Hi, everyone. The following code works well in a driver, but returns an error in a RING3 (user-mode) program. Why?
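/*
 * Question from the post: if I move this code to a RING3 program (removing the
 * OBJ_KERNEL_HANDLE flag in OBJECT_ATTRIBUTES), ZwOpenFile returns 0xC000000D.
 * Why?
 *
 * 0xC000000D is STATUS_INVALID_PARAMETER. FILE_SYNCHRONOUS_IO_ALERT is
 * documented as requiring SYNCHRONIZE in DesiredAccess, and the original call
 * passed GENERIC_READ alone. The driver build presumably got away with it
 * because kernel-mode callers skip that parameter validation (verify on the
 * target OS). SYNCHRONIZE is now requested explicitly so the same open is
 * valid from either mode.
 */

/**
 * Open a file by native path, create a section over it and map a view of that
 * section into the current process.
 *
 * @param filename        NUL-terminated native (NT namespace) path of the file.
 * @param pFileHanle      Receives the open file handle on success.
 * @param pSectionHandle  Receives the section handle on success.
 * @return Base address of the mapped view, or NULL on failure. On failure any
 *         handle opened here is closed and the output parameters are not
 *         written.
 *
 * Ownership: on success the caller owns both handles and the view, and is
 * responsible for unmapping the view and closing the handles.
 *
 * NOTE(review): mapping a section does not by itself initialise a module;
 * nothing here resolves imports or calls an entry point, so despite the name
 * this is not a LoadLibrary equivalent.
 */
PVOID NativeLoadLibrary(WCHAR *filename, PHANDLE pFileHanle, PHANDLE pSectionHandle)
{
    NTSTATUS ntstatus = 0;
    HANDLE hFile = NULL;
    HANDLE hSection = NULL;
    OBJECT_ATTRIBUTES oattr = {0};
    IO_STATUS_BLOCK iosb = {0};
    UNICODE_STRING uDllName;
    PVOID pBaseAddr = NULL;
    SIZE_T viewSize = 0;

    /* Reject missing output slots before anything is opened, so that no
     * handle can leak and no NULL pointer is written through at the end. */
    if (pFileHanle == NULL || pSectionHandle == NULL)
    {
        return NULL;
    }

    RtlInitUnicodeString(&uDllName, filename);

    /* OBJ_KERNEL_HANDLE keeps the handle out of the user-mode handle table;
     * it belongs to the driver build only (the post removes it for RING3). */
    InitializeObjectAttributes(&oattr, &uDllName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    /* SYNCHRONIZE is required whenever FILE_SYNCHRONOUS_IO_ALERT is set;
     * omitting it is what yields STATUS_INVALID_PARAMETER in user mode. */
    ntstatus = ZwOpenFile(&hFile, GENERIC_READ | SYNCHRONIZE, &oattr, &iosb, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_SYNCHRONOUS_IO_ALERT);
    if (!NT_SUCCESS(ntstatus))
    {
        DbgPrint("[NativeLoadLibrary] ZwOpenFile Failure: %x!\n",ntstatus);
        return NULL;
    }

    /* NOTE(review): 0x1000000 looks like SEC_IMAGE; confirm and prefer the
     * named constant. The section is requested as PAGE_EXECUTE_READWRITE on a
     * file opened for read only; a user-mode caller is access-checked against
     * the file handle, so this call may be the next one to fail in RING3.
     * Ask for the least protection the caller actually needs. */
    ntstatus = ZwCreateSection(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE, NULL, 0, PAGE_EXECUTE_READWRITE, 0x1000000, hFile);
    if (!NT_SUCCESS(ntstatus))
    {
        DbgPrint("[NativeLoadLibrary] ZwCreateSection Failure: %x!\n",ntstatus);
        ZwClose(hFile);
        return NULL;
    }

    /* The view is placed in NtCurrentProcess(). In a driver that is whichever
     * process context the calling thread happens to run in; confirm it is
     * the intended one, since the view is requested writable and executable. */
    ntstatus = ZwMapViewOfSection(hSection, NtCurrentProcess(), &pBaseAddr, 0, 1024, 0, &viewSize, ViewShare, MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
    if (!NT_SUCCESS(ntstatus))
    {
        DbgPrint("[NativeLoadLibrary] ZwMapViewOfSection Failure: %x!\n",ntstatus);
        ZwClose(hFile);
        ZwClose(hSection);
        return NULL;
    }

    /* Success: hand both handles to the caller together with the view. */
    *pFileHanle = hFile;
    *pSectionHandle = hSection;
    return pBaseAddr;
}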